routing: stricter maxHTLC checks

We require channel updates to have the max HTLC message flag set.

Several flows need to pass that check before channel updates are
forwarded to peers:
* after channel funding: `addToRouterGraph`
* after receiving channel updates from a peer:
  `ProcessRemoteAnnouncement`
* after we update channel policies: `PropagateChanPolicyUpdate`

routing/ann_validation.go

@@ -165,22 +165,25 @@ func VerifyChannelUpdateSignature(msg *lnwire.ChannelUpdate,
 func ValidateChannelUpdateFields(capacity btcutil.Amount,
 	msg *lnwire.ChannelUpdate) error {
 
-	if msg.MessageFlags.HasMaxHtlc() {
-		maxHtlc := msg.HtlcMaximumMsat
-		if maxHtlc == 0 || maxHtlc < msg.HtlcMinimumMsat {
-			return errors.Errorf("invalid max htlc for channel "+
-				"update %v", spew.Sdump(msg))
-		}
+	// The maxHTLC flag is mandatory.
+	if !msg.MessageFlags.HasMaxHtlc() {
+		return errors.Errorf("max htlc flag not set for channel "+
+			"update %v", spew.Sdump(msg))
+	}
 
-		// For light clients, the capacity will not be set so we'll skip
-		// checking whether the MaxHTLC value respects the channel's
-		// capacity.
-		capacityMsat := lnwire.NewMSatFromSatoshis(capacity)
-		if capacityMsat != 0 && maxHtlc > capacityMsat {
-			return errors.Errorf("max_htlc(%v) for channel "+
-				"update greater than capacity(%v)", maxHtlc,
-				capacityMsat)
-		}
+	maxHtlc := msg.HtlcMaximumMsat
+	if maxHtlc == 0 || maxHtlc < msg.HtlcMinimumMsat {
+		return errors.Errorf("invalid max htlc for channel "+
+			"update %v", spew.Sdump(msg))
+	}
+
+	// For light clients, the capacity will not be set so we'll skip
+	// checking whether the MaxHTLC value respects the channel's
+	// capacity.
+	capacityMsat := lnwire.NewMSatFromSatoshis(capacity)
+	if capacityMsat != 0 && maxHtlc > capacityMsat {
+		return errors.Errorf("max_htlc (%v) for channel update "+
+			"greater than capacity (%v)", maxHtlc, capacityMsat)
 	}
 
 	return nil